Nothing got rid of it. Only reason I eventually found the file at all is that it showed up in DaisyDisk (it didn't in other mappers).

Question is => is it safe top delete /private/var/audit/20110423020458.crash_recovery ?

I know there is various Unix core stuff in /private, but that is about the limit of my knowledge there. I've got all manner of good backups (CCL, Time Machine, Dropbox) – so I'm not as worried about data loss as I am jsut anxious to get my system back (everything working normal except disk space issued...booted from external drive and deleted 5GB to make some breathing room).

As you're able to boot from an external drive, what I would do is: move the file to another disk and reboot. If nothing happens (for a few weeks just to be sure) I'd be convinced to delete the file from the other HDD. If something fails I'd boot from the external drive and move the file back. Sadly I have no first-hand experience on this.
–
koiyuApr 24 '11 at 12:23

1 Answer
1

Yes. You have enabled auditing somewhere along the line, being a wise person, but you have not trimmed the file, being a human, like I. Note the instant edit ;)

man -k audit

if you can get a shell will show you where you need to go

( look at them on the apple dev site )

i think here you want

audit -e

to get rid of your old audit files.

From the man page:

The audit utility controls the state of the audit system. One of the
following flags is required as an argument to audit:

-e Forces the audit system to immediately remove audit log files
that meet the expiration criteria specified in the audit control
file without doing a log rotation.
-i Initializes and starts auditing. This option is currently for
Mac OS X only and requires auditd(8) to be configured to run
under launchd(8).
-n Forces the audit system to close the existing audit log file and
rotate to a new log file in a location specified in the audit
control file. Also, audit log files that meet the expiration
criteria specified in the audit control file will be removed.
-s Specifies that the audit system should [re]synchronize its con-
figuration from the audit control file. A new log file will be
created.
-t Specifies that the audit system should terminate. Log files are
closed and renamed to indicate the time of the shutdown.